Distributions: SNI Issues

Created on 9 Sep 2016 · 7 Comments · Source: nodesource/distributions

Hi there, while provisioning a box recently my colleague @tkellen and I ran into a frustrating problem where the server hosting nodesource's GPG key was requiring SNI support but the machine being provisioned did not have a version of python on it that supported SNI.

In the end we retrieved the key out of band and used Ansible to copy it from our local machine onto the box and everything was fine. This seemed a lower risk option than upgrading python.

I'm curious if using SNI is really necessary or if it's simply a side effect of y'all using a service like cloudflare ssl which uses SNI under the hood. Anyway, wanted to point out that this could be a roadblock for folks trying to upgrade Node from nodesource on older systems.
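A diagnostic for the situation described in this post, added here and not code from the issue or from the nodesource/distributions project: it reports whether the local Python's ssl module can send SNI at all, then handshakes with a host once with and once without SNI and checks whether the certificate served in each case actually covers the hostname, which is what a legacy client with no SNI support needs. deb.nodesource.com is the host named in the thread; the function names are assumptions of this example.

```python
import socket
import ssl

HOST = "deb.nodesource.com"  # repository host named in the issue
PORT = 443

def sni_supported():
    """True when this Python's ssl module can send SNI (missing before 2.7.9 / 3.2)."""
    return bool(getattr(ssl, "HAS_SNI", False))

def dns_names(cert):
    """DNS names from a getpeercert() dict's subjectAltName."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(host, names):
    """Exact match or a single leftmost wildcard label (*.example.com)."""
    host = host.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False

def probe(host, port, send_sni, timeout=5.0):
    """Handshake with or without SNI. usable == handshake completed AND the
    served certificate covers `host`, which is what a no-SNI legacy client needs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = send_sni  # without SNI we match the name ourselves below
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
                names = dns_names(tls.getpeercert())
                return name_matches(host, names), "served names: " + ", ".join(names)
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, "handshake failed: %s" % exc

def classify(with_sni_usable, without_sni_usable):
    if with_sni_usable and not without_sni_usable:
        return "requires SNI"
    if with_sni_usable:
        return "works without SNI"
    return "unreachable even with SNI"

if __name__ == "__main__":
    print("local ssl supports SNI:", sni_supported())
    with_sni = probe(HOST, PORT, send_sni=True)
    without_sni = probe(HOST, PORT, send_sni=False)
    print("with SNI:", with_sni, "\nwithout SNI:", without_sni, "\nverdict:", classify(with_sni[0], without_sni[0]))
```

A "requires SNI" verdict means the host behaves like the CDN described in this thread; on a box whose Python lacks SNI, `sni_supported()` is False and the only fixes are a newer TLS client or fetching the key out of band as the poster did.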

All 7 comments

Yes, we're aware. We've just switched our hosting of these repositories to be backed by CloudFront. We did this because the load on the servers was getting to the point where it was making the repositories go unresponsive at times, often right after a new release, based on the load. So we needed to move to some kind of CDN solution. In general:

1) We (NodeSource) think traffic should be encrypted whenever it's feasible to do so.
2) We can either not use a CDN for our repos, which causes things to become unavailable under load, or we can use a CDN that will require SNI to work with HTTPS.
3) Either of the options in #2 is not ideal because both will have negative effects on some subset of users, but we think the second option is better overall.

Unfortunately the costs associated with using an HTTPS enabled CDN without using SNI are prohibitive for us.

@chrislea do you realise that this choice is actually breaking (for example) current, supported and up-to-date OSs like Ubuntu 14.04?

Hello @hyperized,
We are aware that this may be a breaking change to some workflows. However, the overall increase in availability and improved security is a net positive. There are several referred options for clients experiencing instability due to this change.

Any hints regarding workarounds for systems like Ubuntu 14.04?

If I am not mistaken, an out-of-the-box apt is not able to connect to the deb.nodesource.com repo if it requires SNI, right?

Also see #388

@mpdude, this should work:

wget -qO - https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -

@tkellen I think this works to fetch the key, but later on apt still has issues connecting to the repo. See #388.
